What if a cyberattack isn't aimed at just anyone, but straight at the C-suite or the company's leaders? It's not just a phish. It's not a simple scam. This is "whaling": the game is big, the stakes are high, the attacks are sophisticated, and the damage can be devastating. Let's get started.
What is whaling?
Whaling is a type of phishing attack, but it targets high-ranking executives, leaders, or VIPs: CEOs, CFOs, directors, board members, company owners, and similar roles. Standard phishing scams are broad and sent to anyone, whereas whaling is precise and aimed at these VIP groups.
These attacks are often disguised as urgent requests, confidential financial transactions, or legal matters. They draw on detailed information about the company's leadership team to craft fake emails that appear to come from another executive.
How does whaling differ from phishing and spear phishing?
Whaling and spear phishing are both forms of phishing, but the three differ in scope and in how much the attacker knows about the target:
- Phishing targets a broad audience with generic fake messages, such as password resets or delivery notifications, in the hope that some recipients respond.
- Spear phishing is more focused and personalized. It targets specific individuals or a specific group within an organization and uses details gathered about them (their role, current projects, suppliers they deal with) to make the message convincing.
- Whaling is spear phishing aimed exclusively at VIPs (executives, directors, etc.). The emails focus on business-critical topics, such as confidential financial results or pending deals, and usually impersonate another senior person.
A real-world example of a whaling attack: a CFO received an email that appeared to come from the company's CEO, requesting that a large sum be transferred urgently to finalize a critical acquisition. Everything looked legitimate, but it was a well-researched scam that cost the company millions.
Tips to identify whaling scams
- Unusual or urgent requests: Any email demanding immediate action, for example a request to transfer a large sum of money or to skip the normal approval process, should make you pause and verify before responding. Pressure to act quickly and to keep the matter secret is the attacker's way of stopping you from checking.
- Language and tone: Because these scams impersonate executives, the wording is usually crafted to mimic the impersonated person's style. Look for small deviations: an unusual greeting or sign-off, a request made by email that this person would normally make in person or by phone, or phrasing that does not match how they actually write.
- Domains and spelling: An attacker can register a domain that looks almost identical to the official one but differs by a character or two (a swapped letter, a digit in place of a letter), or use an entirely different domain while setting the display name to the executive's name. Check the actual sender address and any Reply-To address, not just the display name.
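As an added illustration (not part of the original article), the following Python script turns the three tips above into mechanical checks on a raw email: it flags a sender domain that is a lookalike of the organization's domain (typo-squats, digit-for-letter swaps, the trusted name embedded in a foreign domain), a display name belonging to a known executive on a foreign address, a Reply-To that redirects replies elsewhere, and urgency or secrecy language in the subject and body. The organization domain example-corp.com, the executive directory, the confusable-character table, the phrase list and the two sample messages are all constructed for the example and are not from any real incident.

```python
"""Heuristic triage for whaling-style emails (added illustration).

Everything here is constructed: the organisation domain example-corp.com,
the executive directory, the confusable table and both sample messages.
"""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = frozenset({"example-corp.com"})          # assumed org domains
EXECUTIVES = {                                             # assumed directory
    "jane doe": "jane.doe@example-corp.com",
    "raj patel": "raj.patel@example-corp.com",
}
URGENCY_PHRASES = ("urgent", "immediately", "wire transfer", "confidential",
                   "before end of day", "do not discuss")

# Single-character substitutions attackers use; a small assumed subset.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                             "\u0430": "a", "\u043e": "o", "\u0435": "e",
                             "\u0440": "p", "\u0441": "c"})


def normalize_domain(domain):
    """Fold a domain to a canonical form so lookalikes compare equal."""
    d = domain.lower().rstrip(".").translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")   # multi-char confusables


def edit_distance(a, b):
    """Levenshtein distance, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'external' for a sender domain."""
    d = domain.lower().rstrip(".")
    for t in trusted:
        if d == t or d.endswith("." + t):
            return "trusted"
    nd = normalize_domain(d)
    for t in trusted:
        nt = normalize_domain(t)
        # Typo-squat (example-corp.co) or confusable swap (example-c0rp.com).
        # A fixed threshold of 2 is generous for short trusted domains; tune it.
        if nd == nt or edit_distance(nd, nt) <= 2:
            return "lookalike"
        # Trusted name embedded in a foreign domain (example-corp.com.evil.net).
        if nt.rsplit(".", 1)[0] in nd:
            return "lookalike"
    return "external"


def analyze(raw_message, trusted=TRUSTED_DOMAINS, executives=EXECUTIVES):
    """Return the sender-domain verdict, a list of findings and a risk level."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    verdict = classify_sender_domain(from_domain, trusted)
    if verdict == "lookalike":
        findings.append(f"sender domain {from_domain} resembles a trusted domain")

    # Known executive's name in the display name, but a different address.
    name_key = " ".join(display.lower().split())
    if name_key in executives and executives[name_key] != addr:
        findings.append(f"display name '{display}' is a known executive but address is {addr}")

    # Replies silently redirected to a mailbox the attacker controls.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_addr:
        reply_domain = reply_addr.rsplit("@", 1)[-1].lower()
        if reply_domain != from_domain:
            findings.append(f"Reply-To redirects replies to {reply_domain}")

    # Pressure language in subject and body (non-multipart body assumed).
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency/secrecy language: " + ", ".join(hits))

    risk = "high" if len(findings) >= 2 else "medium" if findings else "low"
    return {"from_domain": from_domain, "domain_verdict": verdict,
            "findings": findings, "risk": risk}


# Constructed sample messages (not real traffic).
SAMPLE_WHALING = """\
From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: jane.doe.ceo@mail-secure.net
To: cfo@example-corp.com
Subject: URGENT - confidential acquisition payment

Need a wire transfer of 4.2M completed immediately to close the deal.
Do not discuss with anyone until it is announced.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example-corp.com>
To: cfo@example-corp.com
Subject: Q3 board pack

Attached are the slides for Thursday; let me know if anything needs changing.
"""

if __name__ == "__main__":
    for label, sample in (("whaling", SAMPLE_WHALING), ("legit", SAMPLE_LEGIT)):
        result = analyze(sample)
        print(f"{label}: risk={result['risk']} domain={result['domain_verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the two samples, the whaling message scores high on all four checks while the legitimate one produces no findings. The script is a triage aid, not a verdict: an attacker who compromises a real executive mailbox passes every header check, which is why the out-of-band verification step described in the protection section still matters.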
How to protect your company from whaling attacks
Protecting against these attacks requires a multi-layered approach, for example:
- Educate the C-suite: Executives need to understand that they personally are the target of these attacks. Make sure they receive training on the social engineering tactics that can be used against them directly, not just the generic awareness course given to all staff.
- Enable multifactor authentication (MFA): At a minimum, MFA should be enabled on every account that can approve or perform sensitive transactions, so that a phished password alone is not enough to take over an executive's mailbox and send requests from the real address.
- Extra verification: Before acting on any request for a payment, data, or a credential change, confirm with the requestor through a separate channel, such as a phone call to a number you already know or an established secure messaging app, and never by replying to the email itself. MFA protects accounts, not judgement; this step is what stops a spoofed request the recipient would otherwise act on.
- Use email security software: Email security tools can detect and block many malicious messages, for example by checking the sender's domain authentication and flagging lookalike domains or mismatched Reply-To addresses, and they give users a safe way to report suspicious emails for investigation.
- Limit public information: Executives should limit the personal and organizational detail they share publicly (travel plans, org charts, deal timelines), since this is exactly what attackers use to make their emails convincing.
Whaling may be a lesser-known threat, but a successful attack can cause serious damage. Sharing knowledge for security awareness is an important part of prevention, so stay up to date and share your insight with others. Be secure!